* chore(io): Migrate pkg/build to Medium abstraction - Updated io.Medium interface with Open() and Create() methods to support streaming. - Migrated pkg/build, pkg/build/builders, and pkg/build/signing to use io.Medium. - Added FS field to build.Config and updated build.Builder interface. - Refactored checksum and archive logic to use io.Medium streaming. - Updated pkg/release and pkg/build/buildcmd to use io.Local. - Updated unit tests to match new signatures. * chore(io): Migrate pkg/build to Medium abstraction (fix CI) - Fixed formatting in pkg/build/builders/wails.go. - Fixed TestLoadConfig_Testdata and TestDiscover_Testdata to use absolute paths with io.Local to ensure compatibility with GitHub CI. - Verified that all build and release tests pass. * chore(io): Migrate pkg/build to Medium abstraction (fix CI paths) - Ensured that outputDir and configPath are absolute in runProjectBuild. - Fixed TestLoadConfig_Testdata and TestDiscover_Testdata to use absolute paths correctly. - Verified that all build and release tests pass locally. * chore(io): Migrate pkg/build to Medium abstraction (final fix) - Improved io.Local to handle relative paths relative to CWD when rooted at "/". - This makes io.Local a drop-in replacement for the 'os' package for most use cases. - Ensured absolute paths are used in build logic and tests where appropriate. - Fixed formatting and cleaned up debug prints. * chore(io): address code review and fix CI - Fix MockFile.Read to return io.EOF - Use filepath.Match in TaskfileBuilder for precise globbing - Stream xz data in createTarXzArchive to avoid in-memory string conversion - Fix TestPath_RootFilesystem in local medium tests - Fix formatting in pkg/build/buildcmd/cmd_project.go * chore(io): resolve merge conflicts and final migration of pkg/build - Resolved merge conflicts in pkg/io/io.go, pkg/io/local/client.go, and pkg/release/release.go. - Reconciled io.Medium interface with upstream changes (unifying to fs.File for Open). 
- Integrated upstream validatePath logic into the local medium. - Completed migration of pkg/build and related packages to io.Medium. - Addressed previous code review feedback on MockMedium and TaskfileBuilder. * chore(io): resolve merge conflicts and finalize migration - Resolved merge conflicts with dev branch. - Unified io.Medium interface (Open returns fs.File, Create returns io.WriteCloser). - Integrated upstream validatePath logic. - Ensured all tests pass across pkg/io, pkg/build, and pkg/release. --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
package signing
import (
"context"
"fmt"
"os/exec"
"runtime"
"github.com/host-uk/core/pkg/io"
)
// MacOSSigner signs binaries using macOS codesign.
// It also drives Apple notarization (xcrun notarytool) and ticket stapling
// (xcrun stapler) when the configuration enables it. Construct it with
// NewMacOSSigner.
type MacOSSigner struct {
	config MacOSConfig // signing Identity, Notarize toggle and Apple credentials read by Sign/Notarize
}
// Compile-time interface check: *MacOSSigner must satisfy Signer, so a
// signature drift in Sign/Notarize fails the build rather than a later lookup.
var _ Signer = (*MacOSSigner)(nil)
// NewMacOSSigner returns a MacOSSigner that uses cfg for signing and
// notarization. No validation happens here; Available and Notarize report
// missing settings when they are called.
func NewMacOSSigner(cfg MacOSConfig) *MacOSSigner {
	signer := new(MacOSSigner)
	signer.config = cfg
	return signer
}
// Name returns "codesign", the name of the macOS tool this signer wraps.
func (s *MacOSSigner) Name() string {
	const toolName = "codesign"
	return toolName
}
// Available reports whether Sign can run: the process must be on macOS,
// config.Identity must be set, and a codesign executable must be on PATH.
// It does not verify that the identity exists in any keychain.
func (s *MacOSSigner) Available() bool {
	switch {
	case runtime.GOOS != "darwin":
		return false
	case s.config.Identity == "":
		return false
	}
	// LookPath only succeeds when codesign resolves to an executable via PATH.
	_, lookupErr := exec.LookPath("codesign")
	return lookupErr == nil
}
// Sign codesigns binary in place with the configured Identity, a secure
// timestamp and the hardened runtime (which notarization requires).
//
// The fs parameter is accepted to satisfy Signer but is not used: codesign
// works on the local path directly, so binary must be reachable on the local
// filesystem. Returns an error when codesign is unavailable (see Available)
// or exits non-zero; the tool's combined stdout/stderr is appended to the
// latter so the caller can see codesign's own diagnostics.
func (s *MacOSSigner) Sign(ctx context.Context, fs io.Medium, binary string) error {
	if !s.Available() {
		return fmt.Errorf("codesign.Sign: codesign not available")
	}

	args := []string{
		"--sign", s.config.Identity,
		"--timestamp",
		"--options", "runtime", // Hardened runtime for notarization
		"--force",  // replace any signature already on the binary
		binary,     // passed to codesign verbatim
	}
	signCmd := exec.CommandContext(ctx, "codesign", args...)

	out, runErr := signCmd.CombinedOutput()
	if runErr == nil {
		return nil
	}
	return fmt.Errorf("codesign.Sign: %w\nOutput: %s", runErr, string(out))
}
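// Notarize submits binary to Apple for notarization and staples the ticket.
// This blocks until Apple responds (typically 1-5 minutes).
//
// The work is three external commands run in order: the binary is zipped
// (notarytool needs an archive), the archive is submitted with --wait, and on
// acceptance the ticket is stapled to the original binary. The temporary
// archive is removed through fs on every return path after it was created.
// fs is used only for that cleanup; the archive itself is written by the
// external zip tool, so fs must address the same local filesystem.
//
// Returns an error if any of apple_id, team_id or app_password is unset, or
// if a command fails; command failures carry the combined stdout/stderr.
func (s *MacOSSigner) Notarize(ctx context.Context, fs io.Medium, binary string) error {
	if s.config.AppleID == "" || s.config.TeamID == "" || s.config.AppPassword == "" {
		return fmt.Errorf("codesign.Notarize: missing Apple credentials (apple_id, team_id, app_password)")
	}

	zipPath, err := s.zipForSubmission(ctx, binary)
	if err != nil {
		return err
	}
	// Best-effort cleanup: the archive is only a submission vehicle, and a
	// failed delete must not mask the result of the notarization itself.
	defer func() { _ = fs.Delete(zipPath) }()

	if err := s.submitForNotarization(ctx, zipPath); err != nil {
		return err
	}
	return s.stapleTicket(ctx, binary)
}

// zipForSubmission packs binary into "<binary>.zip" with junked paths (-j)
// and returns the archive path.
// NOTE(review): zip updates an existing archive rather than replacing it, so
// leftovers from an interrupted earlier run at the same path would be
// submitted alongside the binary; confirm the output directory is fresh.
func (s *MacOSSigner) zipForSubmission(ctx context.Context, binary string) (string, error) {
	zipPath := binary + ".zip"
	zipCmd := exec.CommandContext(ctx, "zip", "-j", zipPath, binary)
	if err := runNotarizeStep(zipCmd, "failed to create zip"); err != nil {
		return "", err
	}
	return zipPath, nil
}

// submitForNotarization uploads zipPath with notarytool and waits for Apple's
// verdict; a rejection surfaces as a non-zero exit and therefore an error.
func (s *MacOSSigner) submitForNotarization(ctx context.Context, zipPath string) error {
	// NOTE(review): the app-specific password is placed on the command line,
	// where other local users can read it from the process table for the
	// whole duration of the upload. notarytool can read stored credentials
	// via --keychain-profile instead; consider supporting that in MacOSConfig.
	submitCmd := exec.CommandContext(ctx, "xcrun", "notarytool", "submit",
		zipPath,
		"--apple-id", s.config.AppleID,
		"--team-id", s.config.TeamID,
		"--password", s.config.AppPassword,
		"--wait", // block until Apple accepts or rejects the submission
	)
	return runNotarizeStep(submitCmd, "notarization failed")
}

// stapleTicket attaches the notarization ticket to binary with xcrun stapler.
func (s *MacOSSigner) stapleTicket(ctx context.Context, binary string) error {
	stapleCmd := exec.CommandContext(ctx, "xcrun", "stapler", "staple", binary)
	return runNotarizeStep(stapleCmd, "failed to staple")
}

// runNotarizeStep runs cmd and wraps a failure as a codesign.Notarize error
// that names the step and includes the command's combined output. The
// message format matches the one historically produced inline by Notarize.
func runNotarizeStep(cmd *exec.Cmd, step string) error {
	output, err := cmd.CombinedOutput()
	if err != nil {
		return fmt.Errorf("codesign.Notarize: %s: %w\nOutput: %s", step, err, string(output))
	}
	return nil
}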
// ShouldNotarize reports whether the Notarize step is enabled in the config.
// It does not check that the credentials Notarize needs are present.
func (s *MacOSSigner) ShouldNotarize() bool {
	enabled := s.config.Notarize
	return enabled
}